GLSA Advocate
Posted: Tue Jul 15, 2008 10:26 pm Post subject: [ GLSA 200807-09 ] Mercurial: Directory traversal
Gentoo Linux Security Advisory
Title: Mercurial: Directory traversal (GLSA 200807-09)
Severity: normal
Exploitable: remote
Date: July 15, 2008
Bug(s): #230193
ID: 200807-09
Synopsis
A directory traversal vulnerability in Mercurial allows for the renaming of
arbitrary files.
Background
Mercurial is a distributed Source Control Management system.
Affected Packages
Package: dev-util/mercurial
Vulnerable: < 1.0.1-r2
Unaffected: >= 1.0.1-r2
Architectures: All supported architectures
Description
Jakub Wilk discovered a directory traversal vulnerability in the
applydiff() function in the mercurial/patch.py file.
Impact
A remote attacker could entice a user to import a specially crafted
patch, possibly resulting in the renaming of arbitrary files, even
outside the repository.
Workaround
There is no known workaround at this time.
Resolution
All Mercurial users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/mercurial-1.0.1-r2"
References
CVE-2008-2942
Last edited by GLSA on Sat Nov 06, 2010 4:26 am; edited 4 times in total
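A pre-import check for the kind of patch described under Impact, as an added example (not code from Mercurial or from this advisory): it lists the header paths in a patch that would resolve outside the repository root. It assumes git-style extended headers ("rename from", "rename to", and so on); the function names and the sample patch are constructed for illustration.

```python
import posixpath

# Header prefixes that name a path (git-style patch format, assumed for this example).
PATH_HEADERS = ("rename from ", "rename to ", "copy from ", "copy to ", "--- ", "+++ ")

def escapes_root(path):
    """True if a patch-supplied path would resolve outside the repository root."""
    path = path.replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True  # absolute POSIX path or Windows drive path
    normal = posixpath.normpath(path)
    return normal == ".." or normal.startswith("../")

def patch_path(line):
    """Return the path named by a header line, or None if the line names none."""
    for header in PATH_HEADERS:
        if line.startswith(header):
            path = line[len(header):].split("\t")[0].strip()
            if header in ("--- ", "+++ "):
                if path == "/dev/null":
                    return None  # marks an added or deleted file, not a real path
                if path[:2] in ("a/", "b/"):
                    path = path[2:]  # drop the conventional a/ or b/ prefix
            return path
    return None

def unsafe_paths(patch_text):
    """List (line_number, path) for every header path that leaves the repository.

    Conservative: a removed content line that begins with "-- " is checked too.
    """
    findings = []
    for number, line in enumerate(patch_text.splitlines(), 1):
        path = patch_path(line)
        if path is not None and escapes_root(path):
            findings.append((number, path))
    return findings

# Constructed sample: the first rename stays inside the repository, the second does not.
SAMPLE = """\
diff --git a/docs/old.txt b/docs/new.txt
rename from docs/old.txt
rename to docs/new.txt
diff --git a/notes.txt b/notes.txt
rename from docs/../../outside/target.txt
rename to notes.txt
"""

if __name__ == "__main__":
    for number, path in unsafe_paths(SAMPLE):
        print(f"line {number}: path leaves the repository: {path}")
```

Running such a check on a patch before importing it is a review aid only; the fix for this advisory is the upgrade given under Resolution.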